Catalog source of the Cert Manager fails to connect in a restricted networking policy environment

Symptoms

The following error message appears in the log of the PackageServer operator in the openshift-operator-lifecycle-manager namespace:

W1215 02:55:18.581552 1 clientconn.go:1331] [core] grpc: addrConn.createTransport failed to connect to {ibm-cert-manager-catalog.ibm-cert-manager.svc:50051 ibm-cert-manager-catalog.ibm-cert-manager.svc:50051 <nil> 0 <nil>}. Err: connection error: desc = "transport: Error while dialing dial tcp 172.30.58.13:50051: i/o timeout". Reconnecting...

Cause

In a restricted networking policy environment, connections between the openshift-operator-lifecycle-manager and ibm-cert-manager namespaces are blocked. The Cert Manager operator in the openshift-operator-lifecycle-manager namespace therefore cannot connect to ibm-cert-manager-catalog in the ibm-cert-manager namespace.

Resolving the problem

To resolve the issue, apply the following network policy in the namespace that deploys the singleton service catalog (for example, ibm-cert-manager or ibm-licensing):

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-from-openshift-operator-lifecycle-manager
  # Apply in the namespace that hosts the catalog, for example ibm-cert-manager or ibm-licensing
  namespace: <namespace of the singleton catalog, for example ibm-cert-manager or ibm-licensing>
spec:
  # Empty selector: the rule applies to every pod in this namespace
  podSelector: {}
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # kubernetes.io/metadata.name is set automatically on every namespace (Kubernetes 1.21+)
              kubernetes.io/metadata.name: openshift-operator-lifecycle-manager
  policyTypes:
    - Ingress
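The following is an added example and not part of the IBM documentation or product: a small evaluator of Kubernetes NetworkPolicy ingress semantics that shows why a default-deny policy in the catalog namespace blocks the PackageServer's gRPC dial on port 50051, why the policy above restores it, and why applying the policy in the wrong namespace (for example ibm-licensing when the catalog runs in ibm-cert-manager) does not help. The default-deny policy, the pod labels (app: packageserver, app: ibm-cert-manager-catalog) and the other-namespace pod are constructed assumptions for the scenario; only the allow-from-openshift-operator-lifecycle-manager policy mirrors the manifest on the page.

```python
"""Added example: minimal NetworkPolicy ingress evaluator (matchLabels-only
selectors, no ipBlock). Policies are dicts in the same shape as the YAML."""


def label_selector_matches(selector, labels):
    """matchLabels-only selector: {} matches everything, None matches nothing."""
    if selector is None:
        return False
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, policy_ns, src):
    """One 'from' entry. namespaceSelector alone = any pod in matching namespaces;
    podSelector alone = matching pods in the policy's own namespace; both = AND."""
    if "ipBlock" in peer:
        return False  # IP-based peers are deliberately not modelled here
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None and pod_sel is not None:
        return (label_selector_matches(ns_sel, src["ns_labels"])
                and label_selector_matches(pod_sel, src["pod_labels"]))
    if ns_sel is not None:
        return label_selector_matches(ns_sel, src["ns_labels"])
    if pod_sel is not None:
        return src["namespace"] == policy_ns and label_selector_matches(pod_sel, src["pod_labels"])
    return False


def port_matches(rule, port, protocol="TCP"):
    """A rule without 'ports' matches every port; otherwise any listed entry must match."""
    entries = rule.get("ports")
    if not entries:
        return True
    return any(e.get("port") in (None, port) and e.get("protocol", "TCP") == protocol
               for e in entries)


def ingress_allowed(policies, dst, src, port, protocol="TCP"):
    """Kubernetes semantics: a pod selected by no Ingress policy accepts everything;
    otherwise traffic is allowed if ANY selecting policy has a rule that matches."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and label_selector_matches(p["spec"].get("podSelector", {}), dst["pod_labels"])]
    if not selecting:
        return True
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            if not port_matches(rule, port, protocol):
                continue
            peers = rule.get("from")
            if not peers or any(peer_matches(peer, p["metadata"]["namespace"], src) for peer in peers):
                return True
    return False


def allow_from_olm_policy(namespace):
    """The page's NetworkPolicy, parameterised on the catalog's namespace."""
    return {
        "kind": "NetworkPolicy", "apiVersion": "networking.k8s.io/v1",
        "metadata": {"name": "allow-from-openshift-operator-lifecycle-manager", "namespace": namespace},
        "spec": {
            "podSelector": {},
            "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {
                "kubernetes.io/metadata.name": "openshift-operator-lifecycle-manager"}}}]}],
            "policyTypes": ["Ingress"],
        },
    }


# Constructed: a typical restricted environment denies all ingress to every pod.
DEFAULT_DENY = {"kind": "NetworkPolicy", "apiVersion": "networking.k8s.io/v1",
                "metadata": {"name": "default-deny-ingress", "namespace": "ibm-cert-manager"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}

# Constructed pods: pod labels are assumptions, the namespace label is the standard one.
PACKAGESERVER = {"namespace": "openshift-operator-lifecycle-manager",
                 "ns_labels": {"kubernetes.io/metadata.name": "openshift-operator-lifecycle-manager"},
                 "pod_labels": {"app": "packageserver"}}
CATALOG = {"namespace": "ibm-cert-manager", "pod_labels": {"app": "ibm-cert-manager-catalog"}}
OTHER_APP = {"namespace": "some-app", "ns_labels": {"kubernetes.io/metadata.name": "some-app"},
             "pod_labels": {}}


def evaluate():
    """Can PackageServer reach the catalog's gRPC port 50051 under each policy set?"""
    fixed = [DEFAULT_DENY, allow_from_olm_policy("ibm-cert-manager")]
    wrong_ns = [DEFAULT_DENY, allow_from_olm_policy("ibm-licensing")]
    return {
        "no_policies": ingress_allowed([], CATALOG, PACKAGESERVER, 50051),
        "default_deny": ingress_allowed([DEFAULT_DENY], CATALOG, PACKAGESERVER, 50051),
        "with_allow_policy": ingress_allowed(fixed, CATALOG, PACKAGESERVER, 50051),
        "allow_policy_in_wrong_namespace": ingress_allowed(wrong_ns, CATALOG, PACKAGESERVER, 50051),
        "other_namespace_still_blocked": ingress_allowed(fixed, CATALOG, OTHER_APP, 50051),
    }


if __name__ == "__main__":
    for scenario, allowed in evaluate().items():
        print(f"{scenario}: {'allowed' if allowed else 'blocked'}")
```

The last scenario is the one to keep in mind when reviewing the fix: because the policy selects only the openshift-operator-lifecycle-manager namespace, pods elsewhere remain subject to the existing deny rule, so the change opens exactly the path the PackageServer needs and nothing more.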